Port 25, SpamBot and Exchange Server 2007

By ben.rattigan ·
I appear to have a spambot running on the same server which is hosting my email. I have blocked port 25 for all other PCs on my network, which is behind a Check Point firewall. The firewall log appears to show a lot of outbound port 25 activity which does not match the Exchange server logs for outbound mail, and all the port 25 activity is coming from my mail server (according to the firewall logs).

I have tried running CA eTrust Antivirus, ESET Smart Security and Windows Defender, and I am currently running the Microsoft Malicious Software Removal Tool.

I need to restrict, through either the Windows Firewall, the ESET ESS firewall or some other firewall (suggestions please), outbound port 25 connections to Exchange Server 2007 ONLY. I also need to know how to get rid of this spambot; I checked the CBL blacklist, which tells me I have the Cutwail spambot.
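The comparison the question describes (outbound port 25 connections the firewall logged from the mail server, versus the destinations the mail server's own send log accounts for), as an added example that is not from the original thread. It uses constructed sample data in a simplified CSV layout rather than the real Check Point or Exchange 2007 message tracking formats, and assumes the mail server's address is 192.0.2.10.

```python
"""Flag firewall-logged outbound SMTP from the mail server that the MTA's own
send log does not explain. Sample data is constructed; both CSV layouts are
simplified assumptions, not the real Check Point or Exchange 2007 formats."""
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

MAIL_SERVER = "192.0.2.10"  # assumed address of the Exchange server
TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed firewall export of accepted outbound connections.
FIREWALL_LOG = """\
time,src,dst,dport
2009-06-03 12:00:01,192.0.2.10,198.51.100.20,25
2009-06-03 12:00:05,192.0.2.10,203.0.113.7,25
2009-06-03 12:00:06,192.0.2.10,203.0.113.8,25
2009-06-03 12:00:06,192.0.2.10,203.0.113.9,25
2009-06-03 12:00:07,192.0.2.10,203.0.113.10,25
2009-06-03 12:00:09,192.0.2.10,198.51.100.30,443
2009-06-03 12:00:30,192.0.2.10,198.51.100.21,25
"""

# Constructed mail-server send log: when the MTA delivered to which remote MX.
EXCHANGE_SEND_LOG = """\
time,remote_ip
2009-06-03 12:00:00,198.51.100.20
2009-06-03 12:00:31,198.51.100.21
"""

def parse(text):
    return list(csv.DictReader(StringIO(text)))

def unexplained_smtp(fw_text, mta_text, mail_server=MAIL_SERVER,
                     slack=timedelta(seconds=5)):
    """Return firewall rows (port 25, from mail_server) with no MTA send event
    to the same remote IP within +/- slack. Anything left is SMTP traffic the
    legitimate MTA did not generate, i.e. a spambot candidate."""
    sends = [(datetime.strptime(r["time"], TIME_FMT), r["remote_ip"])
             for r in parse(mta_text)]
    unexplained = []
    for row in parse(fw_text):
        if row["src"] != mail_server or row["dport"] != "25":
            continue
        t = datetime.strptime(row["time"], TIME_FMT)
        if not any(ip == row["dst"] and abs(t - st) <= slack for st, ip in sends):
            unexplained.append(row)
    return unexplained

def destination_counts(rows):
    """Distinct remote hosts hit; a spambot fans out to many MX hosts quickly."""
    return Counter(r["dst"] for r in rows)

if __name__ == "__main__":
    rows = unexplained_smtp(FIREWALL_LOG, EXCHANGE_SEND_LOG)
    for dst, n in destination_counts(rows).most_common():
        print(f"unexplained SMTP to {dst}: {n}")
```

Run against real exports after mapping their columns onto `time,src,dst,dport` and `time,remote_ip`; widen `slack` if the firewall and mail server clocks are not synchronised.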

HijackThis log

by ben.rattigan In reply to Port 25, SpamBot and Exch ...

This is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:17, on 03/06/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 SP2 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
\Program Files\ESET\ESET Smart Security\x86\ekrn.exe
\Program Files (x86)\ESET\ESET Remote Administrator\Server\era.exe
C:\Program Files (x86)\Dell\SysMgt\sm\mr2kserv.exe
C:\Program Files (x86)\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
d:\Program Files (x86)\PaperCut Print Logger\pcpl.exe
C:\Program Files (x86)\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
C:\WINDOWS\syswow64\snmp.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 132.179.100.40:3128
F2 - REG:system.ini: UserInit=userinit
O1 - Hosts: 192.200.200.2 sgwedom1.gweutilitysolutions.co.uk
O1 - Hosts: 192.200.201.60 fglops.fpshamilton.com
O1 - Hosts: 132.179.100.197 fglfinance.fastflowgroup.co.uk
O1 - Hosts: 132.179.100.193 fglstore.fastflowgroup.co.uk
O4 - HKCU\..\Run: [VxBeMon] "C:\Program Files\Symantec\Backup Exec\RAWS\vxmon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O15 - ESC Trusted Zone: http://ardownload.adobe.com
O15 - ESC Trusted Zone: http://www.adobe.com
O15 - ESC Trusted Zone: http://ai.aintermail.net
O15 - ESC Trusted Zone: http://www.albany.co.uk
O15 - ESC Trusted Zone: http://www.applecore99.com
O15 - ESC Trusted Zone: http://forums.asp.net
O15 - ESC Trusted Zone: http://www.asp.net
O15 - ESC Trusted Zone: http://rmd.atdmt.com
O15 - ESC Trusted Zone: http://view.atdmt.com
O15 - ESC Trusted Zone: http://www.awprofessional.com
O15 - ESC Trusted Zone: http://www.bacs.co.uk
O15 - ESC Trusted Zone: http://news.bbc.co.uk
O15 - ESC Trusted Zone: http://newsimg.bbc.co.uk
O15 - ESC Trusted Zone: http://www.bbc.co.uk
O15 - ESC Trusted Zone: http://customerconnect.ca.com
O15 - ESC Trusted Zone: http://supportconnect.ca.com
O15 - ESC Trusted Zone: http://supportconnectw.ca.com
O15 - ESC Trusted Zone: http://www.ca.com
O15 - ESC Trusted Zone: http://www3.ca.com
O15 - ESC Trusted Zone: http://www.computerperformance.co.uk
O15 - ESC Trusted Zone: http://www.direct.gov.uk
O15 - ESC Trusted Zone: http://a.dlqm.net
O15 - ESC Trusted Zone: http://ad.doubleclick.net
O15 - ESC Trusted Zone: http://ad.uk.doubleclick.net
O15 - ESC Trusted Zone: http://www.dyndns.com
O15 - ESC Trusted Zone: http://www.eggheadcafe.com
O15 - ESC Trusted Zone: http://www.eventid.net
O15 - ESC Trusted Zone: http://www.exchangeninjas.com
O15 - ESC Trusted Zone: http://www.experts-exchange.com
O15 - ESC Trusted Zone: http://www.google-analytics.com
O15 - ESC Trusted Zone: http://www.google.co.uk
O15 - ESC Trusted Zone: http://pagead2.googlesyndication.com
O15 - ESC Trusted Zone: http://welcome.hp-ww.com
O15 - ESC Trusted Zone: http://forums1.itrc.hp.com
O15 - ESC Trusted Zone: http://searchportal.information.com
O15 - ESC Trusted Zone: http://banman.isoftmarketing.com
O15 - ESC Trusted Zone: http://forums.kayako.com
O15 - ESC Trusted Zone: http://search.live.com
O15 - ESC Trusted Zone: http://shared.live.com
O15 - ESC Trusted Zone: http://img.mediaplex.com
O15 - ESC Trusted Zone: http://blogs.msdn.com
O15 - ESC Trusted Zone: http://forums.msexchange.org
O15 - ESC Trusted Zone: http://www.msexchange.org
O15 - ESC Trusted Zone: http://search.msn.co.uk
O15 - ESC Trusted Zone: http://ads1.msn.com
O15 - ESC Trusted Zone: http://ie.search.msn.com
O15 - ESC Trusted Zone: http://rad.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://db4.net-filter.com
O15 - ESC Trusted Zone: http://www.nokia.com
O15 - ESC Trusted Zone: http://www.ogc.gov.uk
O15 - ESC Trusted Zone: http://www.payaway.co.uk
O15 - ESC Trusted Zone: http://www.petri.co.il
O15 - ESC Trusted Zone: http://static.sky.com
O15 - ESC Trusted Zone: http://home.skysports.com
O15 - ESC Trusted Zone: http://forum.java.sun.com
O15 - ESC Trusted Zone: http://service1.symantec.com
O15 - ESC Trusted Zone: http://www.tamarsolutions.co.uk
O15 - ESC Trusted Zone: http://www.techgenix.com
O15 - ESC Trusted Zone: http://embed.technorati.com
O15 - ESC Trusted Zone: http://searchexchange.techtarget.com
O15 - ESC Trusted Zone: http://a.tribalfusion.com
O15 - ESC Trusted Zone: http://cdn5.tribalfusion.com
O15 - ESC Trusted Zone: http://www.uk-broadband-provider.co.uk
O15 - ESC Trusted Zone: http://www.itd.umich.edu
O15 - ESC Trusted Zone: http://seer.support.veritas.com
O15 - ESC Trusted Zone: http://www.veritas.com
O15 - ESC Trusted Zone: http://m.webtrends.com
O15 - ESC Trusted Zone: http://statse.webtrendslive.com
O15 - ESC Trusted Zone: http://www.wikihow.com
O15 - ESC Trusted Zone: http://a.windowsitpro.com
O15 - ESC Trusted Zone: http://www.windowsitpro.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://shopping.yell.com
O15 - ESC Trusted Zone: http://www.yell.com
O15 - ESC Trusted Zone: http://us.js2.yimg.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: http://132.179.100.9
O15 - ESC Trusted IP range: http://167.102.240.9
O15 - ESC Trusted IP range: http://192.200.200.6
O15 - ESC Trusted IP range: http://132.179.100.192
O15 - ESC Trusted IP range: http://132.179.100.240
O15 - ESC Trusted IP range: http://132.179.100.7
O15 - ESC Trusted IP range: http://132.179.100.6
O15 - ESC Trusted IP range: http://132.179.100.242
O15 - ESC Trusted IP range: http://132.179.100.101
O15 - ESC Trusted IP range: http://132.179.100.2
O15 - ESC Trusted IP range: http://195.97.229.102
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172144296000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172152334296
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = fastflowgroup.co.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{83817C3B-7357-47CA-B75A-E34FB698FF8D}: NameServer = 132.179.100.190
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB804E87-5546-4953-9DF3-A923A2087D93}: NameServer = 132.179.100.191
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = fastflowgroup.co.uk
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
O23 - Service: Certificate Services (CertSvc) - Unknown owner - C:\WINDOWS\system32\certsrv.exe (file missing)
O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files (x86)\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: DNS Server (DNS) - Unknown owner - C:\WINDOWS\System32\dns.exe (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - \Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - \Program Files\ESET\ESET Smart Security\x86\ekrn.exe
O23 - Service: ESET RA HTTP Server (ERA_HTTP_SERVER) - ESET - \Program Files (x86)\ESET\ESET Remote Administrator\Server\EHttpSrv.exe
O23 - Service: ESET Remote Administrator Server (ERA_SERVER) - ESET - \Program Files (x86)\ESET\ESET Remote Administrator\Server\era.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IIS Admin Service (IISADMIN) - Unknown owner - C:\WINDOWS\system32\inetsrv\inetinfo.exe (file missing)
O23 - Service: Kerberos Key Distribution Center (kdc) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~2\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files (x86)\Dell\SysMgt\sm\mr2kserv.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files (x86)\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
O23 - Service: PaperCut Print Logger (PCPrintLogger) - PaperCut Software International Pty Ltd - d:\Program Files (x86)\PaperCut Print Logger\pcpl.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files (x86)\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files (x86)\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SNMP Trap Service (SNMPTRAP) - Unknown owner - C:\WINDOWS\System32\snmptrap.exe (file missing)
O23 - Service: File Server Storage Reports Manager (SrmReports) - Unknown owner - C:\WINDOWS\system32\srmhost.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)
O23 - Service: Windows Network Status Reporting Tool (WNSRTOOL) - Unknown owner - \Program Files (x86)\WNSRTool\wnsrtool.exe

--
End of file - 12184 bytes
